CVE-2019-12274: Resource Exposure in Rancher Rancher

Severity: 8.8 HIGH (NVD)
EPSS: 0.2% (top 58.99%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 6; latest update Aug 20

Description

In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

Go | github.com/rancher_rancher | 2.0.0 | 2.2.4 | +2
NVD | suse/rancher | 1.0.0 | 1.6.28 | +1

Vulnerability Details (4)

OSV: Rancher Privilege Escalation Vulnerability in github.com/rancher/rancher (2024-08-20)
GHSA: Rancher Privilege Escalation Vulnerability (2022-05-24)
OSV: Rancher Privilege Escalation Vulnerability (2022-05-24)
CVEList: CVE-2019-12274: In Rancher 1 and 2 through 2 (2019-06-06)